karaf-issues mailing list archives

From "Guillaume Nodet (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (KARAF-4201) Often Misused: Authentication
Date Thu, 20 Oct 2016 18:55:59 GMT

     [ https://issues.apache.org/jira/browse/KARAF-4201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Guillaume Nodet updated KARAF-4201:
-----------------------------------
    Priority: Minor  (was: Major)

> Often Misused: Authentication
> -----------------------------
>
>                 Key: KARAF-4201
>                 URL: https://issues.apache.org/jira/browse/KARAF-4201
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>            Priority: Minor
>             Fix For: 4.1.0, 4.0.8
>
>
> HP Fortify and SciTools Understand were used to perform an application security scan on the karaf source code.
> The information returned by the call to getByName() on line 150 is not trustworthy. Attackers can spoof DNS entries.
> File: main/src/main/java/org/apache/karaf/main/InstanceHelper.java
> Line: 150
> InstanceHelper.java, lines 142-166:
> {code}
> 142 static void setupShutdown(ConfigProperties config, Framework framework) {
> 143     writePid(config.pidFile);
> 144     try {
> 145         int port = config.shutdownPort;
> 146         String host = config.shutdownHost;
> 147         String portFile = config.portFile;
> 148         final String shutdown = config.shutdownCommand;
> 149         if (port >= 0) {
> 150             ServerSocket shutdownSocket = new ServerSocket(port, 1, InetAddress.getByName(host));
> 151             if (port == 0) {
> 152                 port = shutdownSocket.getLocalPort();
> 153             }
> 154             if (portFile != null) {
> 155                 Writer w = new OutputStreamWriter(new FileOutputStream(portFile));
> 156                 w.write(Integer.toString(port));
> 157                 w.close();
> 158             }
> 159             Thread thread = new ShutdownSocketThread(shutdown, shutdownSocket, framework);
> 160             thread.setDaemon(true);
> 161             thread.start();
> 162         }
> 163     } catch (Exception e) {
> 164         e.printStackTrace();
> 165     }
> 166 }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
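The finding above concerns the bind address of the shutdown listener, not an authentication decision: the practical risk is that a spoofed answer for the configured host could move the shutdown port off the loopback interface. The following is an added example, not Karaf's own code, showing how line 150 could bind without trusting the resolver; it assumes the shutdown port is only ever meant to be reachable locally, and the class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.ServerSocket;

/**
 * Added example (not Karaf's own code): bind the shutdown listener without
 * trusting what the resolver says about the configured shutdown host.
 */
public class ShutdownBindCheck {

    /** Resolve the configured host, avoiding a DNS lookup where possible. */
    static InetAddress resolveShutdownHost(String host) throws IOException {
        // No host, or the conventional name for this machine: use the loopback
        // address directly. InetAddress.getLoopbackAddress() never consults DNS.
        if (host == null || host.isEmpty() || "localhost".equalsIgnoreCase(host)) {
            return InetAddress.getLoopbackAddress();
        }
        // Anything else still goes through getByName(): a numeric literal is parsed
        // locally, a name is resolved through DNS and is therefore spoofable, so the
        // result is validated before it is used as a bind address.
        InetAddress addr = InetAddress.getByName(host);
        if (addr.isAnyLocalAddress()) {
            // Assumption of this example: the shutdown port must never be exposed on
            // every interface, so the wildcard address is rejected outright.
            throw new IOException("shutdown host " + host + " resolves to the wildcard address");
        }
        if (!addr.isLoopbackAddress() && NetworkInterface.getByInetAddress(addr) == null) {
            // A spoofed or stale answer pointing at a foreign address would fail the
            // bind anyway; rejecting it here gives a clear diagnostic instead.
            throw new IOException("shutdown host " + host + " is not a local interface: " + addr);
        }
        return addr;
    }

    /** Counterpart of line 150 in the report, with the address validated first. */
    static ServerSocket openShutdownSocket(int port, String host) throws IOException {
        InetAddress bindAddr = resolveShutdownHost(host);
        // Backlog of 1, as in the original call.
        return new ServerSocket(port, 1, bindAddr);
    }

    public static void main(String[] args) throws IOException {
        // Port 0 lets the OS choose a free port, which the original code also allows.
        try (ServerSocket s = openShutdownSocket(0, "localhost")) {
            // Bound to 127.0.0.1 or ::1 regardless of what DNS returns for "localhost".
            System.out.println("shutdown listener bound to " + s.getLocalSocketAddress());
        }
    }
}
```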
